Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Microsoft Patches 19 Critical Browser Vulnerabilities

Microsoft’s Patch Tuesday updates for December 2017 address more than 30 vulnerabilities, including 19 critical flaws affecting the company’s Internet Explorer and Edge web browsers.

Microsoft’s Patch Tuesday updates for December 2017 address more than 30 vulnerabilities, including 19 critical flaws affecting the company’s Internet Explorer and Edge web browsers.

The critical vulnerabilities are memory corruption issues that can be exploited for remote code execution in the context of the targeted user. The security holes – in most cases related to the browser’s scripting engine – can be exploited by getting the target to visit a specially crafted website or a site that serves malicious ads (i.e. malvertising).

These flaws were reported to Microsoft by researchers at Google, Palo Alto Networks, McAfee and Qihoo 360. The Google Project Zero researcher known as Lokihardt has again been credited for finding many of the weaknesses.

Trend Micro’s Zero Day Initiative (ZDI) pointed out that one interesting vulnerability, albeit rated only “important,” is CVE-2017-11927, an information disclosure flaw in Windows that “takes us all the way back to the early days of Internet Explorer and CHM (compressed help) files.” The issue affects the Windows its:// protocol handler – ITS, or InfoTech Storage Format, is the storage format used in CHM files.

“In theory, you shouldn’t be able to access remote content using ITS outside of the Local Machine Zone thanks to a 2005 update,” ZDI explained in a blog post. “It appears that has been circumvented by this bug, as it allows attackers who trick users into browsing to a malicious website or to malicious SMB destinations to leak info. If an attacker can get the target to disclose the user’s NTLM hash, they could then attempt a brute-force attack to obtain the corresponding password.”

The list of vulnerabilities fixed this month also includes information disclosure flaws in Office, a spoofing issue in Exchange, a privilege escalation bug in SharePoint, and a remote code execution vulnerability in Excel.

According to Microsoft, none of the vulnerabilities patched this month have been exploited in attacks or disclosed publicly before fixes were released.

Earlier this month, Microsoft informed users that it had released a patch for a critical remote code execution vulnerability affecting its Malware Protection Engine. The flaw, discovered by the UK’s National Cyber Security Centre (NCSC), can be exploited to take control of the targeted system.

Advertisement. Scroll to continue reading.

After publishing an advisory with information on how users can protect themselves against recent attacks abusing the Dynamic Data Exchange (DDE) protocol, Microsoft announced on Tuesday that it has released a defense-in-depth update that disables DDE in supported versions of Word.

Adobe has only patched one moderate severity vulnerability in Flash Player this Patch Tuesday.

Related: Microsoft Patches Zero-Day, Many Other Flaws

Related: Microsoft Patches Office Zero-Day Used to Deliver Malware

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Gigamon has promoted Tony Jarjoura to CFO and Ram Bhide has been hired as Senior VP of engineering.

Cloud security firm Mitiga has appointed Charlie Thomas as Chief Executive Officer.

Cynet announced the appointment of Jason Magee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.